Developers have successfully patched a loophole used by an attacker to exploit Wormhole, a bridge protocol used to transfer tokens between the Solana and Ethereum networks.
According to a tweet by Wormhole, which ZyCrypto has confirmed by reviewing a series of ETH transactions, the attacker exploited a vulnerability in the bridge, siphoning 120k wrapped ether valued at $323M.
According to experts who are now immersed in restoring the bridge’s functionality, it was hard to tell how the attacker engineered the exploit. At first, they were unsure whether the attacker had accessed the private keys or exploited the bridge, but they later decided to work backward to track the exploiter’s footprints.
When users send assets from one chain to another, Wormhole usually locks the assets and mints a wrapped version of the tokens before releasing them to the destination chain.
In the first transaction, the attacker transmitted 80k ETH from Solana to Ethereum. He later carried out further dealings totalling 120k ETH, which was minted out of thin air, triggering the transfer of real funds, according to Kelvin Fichter, a smart contracts dev for Ethereum Optimism.
“The attacker was able to mint Wormhole ETH on Solana, so they were able to correctly withdraw it back to Ethereum,” he tweeted.
samczsun, a software developer at Paradigm who joined forces with two other developers to reverse engineer the exploit, stated, “Wormhole didn’t properly validate all input accounts, which allowed the attacker to spoof guardian signatures and mint 120,000 ETH on Solana, of which they bridged 93,750 back to Ethereum.”
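The lock-and-mint flow described above implies an invariant a bridge operator can monitor: every mint on the destination chain must be backed by a lock of the same amount on the source chain. The following is an added example, not Wormhole's code; the event format, the `transfer_id` field and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Event:
    kind: str          # "lock" (source chain) or "mint" (destination chain)
    transfer_id: str   # hypothetical id linking a mint to the lock that backs it
    amount: Decimal

def reconcile(events):
    """Replay events in order; return (findings, locked_total, minted_total)."""
    locks, used, findings = {}, set(), []
    locked_total = minted_total = Decimal(0)
    for ev in events:
        if ev.kind == "lock":
            locks[ev.transfer_id] = ev.amount
            locked_total += ev.amount
        elif ev.kind == "mint":
            minted_total += ev.amount
            backing = locks.get(ev.transfer_id)
            if backing is None:
                findings.append((ev.transfer_id, "mint without a matching lock"))
            elif ev.transfer_id in used:
                findings.append((ev.transfer_id, "lock already consumed by an earlier mint"))
            elif backing != ev.amount:
                findings.append((ev.transfer_id, "mint amount differs from locked amount"))
            used.add(ev.transfer_id)
        else:
            findings.append((ev.transfer_id, f"unknown event kind {ev.kind!r}"))
    if minted_total > locked_total:
        gap = minted_total - locked_total
        findings.append(("*", f"wrapped supply exceeds locked collateral by {gap}"))
    return findings, locked_total, minted_total

# Constructed sample events (not real chain data).
SAMPLE = [
    Event("lock", "t1", Decimal("10")),
    Event("mint", "t1", Decimal("10")),       # correctly backed
    Event("lock", "t2", Decimal("5")),
    Event("mint", "t2", Decimal("7")),        # more minted than locked
    Event("mint", "t3", Decimal("120000")),   # no lock at all
    Event("mint", "t1", Decimal("10")),       # lock t1 reused
]

if __name__ == "__main__":
    findings, locked, minted = reconcile(SAMPLE)
    for transfer_id, reason in findings:
        print(f"ALERT {transfer_id}: {reason}")
    print(f"locked={locked} minted={minted}")
```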
Wormhole developers have since put up a bounty reward for the return of the loot.
This is one of the largest exploits in DeFi history and the biggest bridge hack to date, adding to the more than $2 billion in losses suffered in DeFi hacks.
Although DeFi is hailed as one of the biggest advances in the blockchain ecosystem, with the Total Value Locked in assets exploding to new highs year to date, the risk of attacks has equally skyrocketed, prompting various users to think otherwise.
“This demonstrates once again that the security of DeFi services has not reached a level that is appropriate for the huge sums being stored within them. The transparency of the blockchain is allowing attackers to identify and exploit major bugs,” said Tom Robinson, the Chief Scientist of blockchain analysis firm Elliptic, commenting after the Wormhole heist.
Ethereum’s Vitalik Buterin has also expressed distaste for cross-chain networks due to their vulnerability to attacks, whilst fronting multi-chain networks as the future of DeFi.